[support] mipv6 error

Sebastien Decugis sdecugis at hongo.wide.ad.jp
Mon May 18 14:02:50 JST 2009


Hi,

Thank you for sending the files. I don't see any problem with the
configuration, sorry.

Just a verification: do you start the daemons in the following order?
HA: spmd iked mip6d
MN: spmd iked mip6d

Apart from this, I don't see any reason why racoon2 cannot recognize
the TS (traffic selector) on the HA, since mip6d is supposed to install the matching rule.
You'll have to debug this... Sorry! Please send feedback to the list if
you find the issue; it could be useful for others too...

Best regards,
Sebastien.


qhtf126 a écrit :
> hi,
>
> ha.conf :
> # Home Agent address: 3ffe:0:0:2::1
> # MN Home address : 3ffe:0:0:2::2
>
> remote MobileNode {
> ikev2 {
> my_id x509_subject "/etc/openssl-ca/public-www/cacert.pem";
> peers_id x509_subject
> "/etc/openssl-ca/clients/certs/mn.mydomain.com.cert";
> kmp_auth_method { rsasig; };
> my_public_key x509pem
> "/etc/openssl-ca/public-www/cacert.pem"
> "/etc/openssl-ca/private/cakey.pem";
> peers_public_key x509pem
> "/etc/openssl-ca/clients/certs/mn.mydomain.com.cert"
> "";
> };
> };
>
> # Policy and selector for protecting the BU/BA messages for Home
> Registration.
> policy HomeRegBinding {
> remote_index MobileNode;
> ipsec_mode transport;
> action auto_ipsec;
> ipsec_index { ipsec_esp; };
> ipsec_level require;
> peers_sa_ipaddr 3ffe:0:0:2::2;
> my_sa_ipaddr 3ffe:0:0:2::1;
> install off;
> };
> selector HomeRegBinding_out {
> direction outbound;
> dst 3ffe:0:0:2::2;
> src 3ffe:0:0:2::1;
> policy_index HomeRegBinding;
> upper_layer_protocol 135 6 5;
> reqid 201; # Note: you may choose whatever value you want, but it must be
> in sync with mip6d.conf and unique.
> };
>
> # Policy and selector for protecting the MPS/MPA messages for Mobile
> Prefix Discovery.
> policy MobPfxDisc {
> remote_index MobileNode;
> ipsec_mode transport;
> action auto_ipsec;
> ipsec_index { ipsec_esp; };
> ipsec_level require;
> peers_sa_ipaddr 3ffe:0:0:2::2;
> my_sa_ipaddr 3ffe:0:0:2::1;
> install off;
> };
> selector MobPfxDisc_out {
> direction outbound;
> dst 3ffe:0:0:2::2;
> src 3ffe:0:0:2::1;
> policy_index MobPfxDisc;
> upper_layer_protocol 135 93 92;
> reqid 203;
> };
>
> # Tunnel all traffic between MN and HA when the MN is not at home.
> policy TunnelPayload {
> remote_index MobileNode;
> ipsec_mode tunnel;
> action auto_ipsec;
> ipsec_index { ipsec_esp; };
> ipsec_level require;
> peers_sa_ipaddr 3ffe:0:0:2::2;
> my_sa_ipaddr 3ffe:0:0:2::1;
> install off;
> };
> selector TunnelPayload_out {
> direction outbound;
> dst 3ffe:0:0:2::2;
> src 3ffe:0:0:2::1;
> policy_index TunnelPayload;
> reqid 205;
> };
>
> *********************************************
> mip6d.conf :
>
> NodeConfig HA;
>
> ## If set to > 0, will not detach from tty
> DebugLevel 10;
> Interface "eth1"; # the interface that serves the Home Link
>
> UseMnHaIPsec enabled;
> KeyMngMobCapability enabled; # currently has no effect, but should be set.
>
> IPsecPolicySet {
> HomeAddress 3ffe:0:0:2::2/64;
> HomeAgentAddress 3ffe:0:0:2::1;
>
>
> IPsecPolicy HomeRegBinding UseESP 201; # the value must match the reqid
> in the racoon2 configuration
> IPsecPolicy MobPfxDisc UseESP 203;
> IPsecPolicy TunnelPayload UseESP 205;
> }
> **************************************************
> default.conf :
> #
> # default section
> #
> default
> {
> remote {
> ikev2 {
> logmode normal;
> kmp_sa_lifetime_time 10 min;
> kmp_sa_lifetime_byte infinite;
> max_retry_to_send 3;
> interval_to_send 10 sec;
> times_per_send 1;
> kmp_sa_nego_time_limit 60 sec;
> ipsec_sa_nego_time_limit 40 sec;
> kmp_enc_alg { aes192_cbc; aes128_cbc; 3des_cbc; };
> kmp_prf_alg { hmac_md5; hmac_sha1; aes_xcbc; };
> kmp_hash_alg { hmac_sha1; hmac_md5; };
> kmp_dh_group { modp1024; modp1536; modp2048; modp3072; };
> kmp_auth_method { dss; };
> random_pad_content on;
> random_padlen on;
> max_padlen 50 bytes;
> };
> acceptable_kmp { ikev2; };
> };
>
> policy {
> ipsec_mode transport;
> ipsec_level require;
> };
>
> ipsec {
> ipsec_sa_lifetime_time infinite;
> ipsec_sa_lifetime_byte infinite;
> };
>
> sa {
> esp_enc_alg { aes128_cbc; 3des_cbc; };
> esp_auth_alg { hmac_sha1; hmac_md5; };
> };
> };
> ipsec ipsec_ah_esp {
> ipsec_sa_lifetime_time 28800 sec;
> sa_index { ah_01; esp_01; };
> };
> ipsec ipsec_esp {
> ipsec_sa_lifetime_time 28800 sec;
> sa_index esp_01;
> };
>
> sa ah_01 {
> sa_protocol ah;
> ah_auth_alg { hmac_sha1; hmac_md5; };
> };
> sa esp_01 {
> sa_protocol esp;
> esp_enc_alg { aes128_cbc; 3des_cbc; };
> esp_auth_alg { hmac_sha1; hmac_md5; };
> };
>
>
>
>
>

